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I. Real Party in Interest 

The assignee of the present application is Hewlett-Packard Development Company, 
L.P. 
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II. Related Appeals and Interferences 
There are no related appeals or interferences known to the Appellant. 
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III. Status of Claims 
Claims 1-33 are rejected. This Appeal involves Claims 1-33. 
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IV. Status of Amendments 



All proposed amendments have been entered. An amendment subsequent to the Final 
Action has not been filed. 
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V. Summary of Claimed Subject Matter 



Independent Claims 1, 12 and 23 of the present application pertains to a method and 
system for responding to network intrusions. 

At least one embodiment of Claim 1 "A method for responding to network intrusions", 
is depicted in Flowchart 4. In one embodiment, as shown at least at 410 of Figure 4 and page 

16 lines 1 1-18, an intrusion detection system (IDS) receives an alert from an IDS sensor located 
in a network of computing resources, wherein the IDS alert indicates an unauthorized intrusion 
upon a remotely located computing resource in the network of computing resources. At 420 of 
Figure 4 and page 16 lines 24-29 identifies the IDS alert. At 430 of Figure 4 and page 17 lines 
7-9, one embodiment determines an appropriate response to the IDS alert that is identified at a 
location separate from the remotely located computing resource so that the determining the 
appropriate response is unaffected by the unauthorized intrusion. At 440 of Figure 4 and page 

17 lines 7-9, one embodiment automatically implements the appropriate response to mitigate 
damage to the network of computing resources from the unauthorized intrusion by isolating the 
remotely located computing resource. 

In Claim 12 and at Figure 4, "a method for responding to network intrusions" is 
recited and depicted in Flowchart 4. In one embodiment, as shown at least at 410 of Figure 4 
and page 16 lines 1 1-18, an intrusion detection system (IDS) receives an alert from an IDS 
sensor in a network of computing resources at a location separate from an infected computing 
resource, wherein the IDS alert indicates an unauthorized intrusion upon the infected 
computing resource in the network of computing resources, wherein implementation of a 
response to the IDS alert is unaffected by the unauthorized intrusion. 

At 440 of Figure 4 and page 17 lines 9-24, one embodiment responds to the IDS alert 
by automatically interfacing with at least one switch in the network of computing resources to 
virtually reconfigure the at least one switch, an associated switch, in order to virtually isolate 
the computing resource from remaining computing resources in the network of computing 
resources. 

At 540 and 550 of Figure 5 and page 19 lines 19-27, one embodiment responds to the 
IDS alert by automatically interfacing with a power controller that controls power to the 
computing resource to shut power to the computing resource. 

In Claim 23 and at method 400 of Figure 4, "a computer system of page 6, lines 18-19 
and page 7, lines 1-21 comprising: a bus page 6, line 22 for communicating information 
associated with a method (method 400 of Figure 4) for responding to network intrusions; a 
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processor page 6, line 22 coupled to the bus for processing the information associated with the 
method (method 400 of Figure 4 and page 16, line 5) for responding to network intrusions; and 
a computer readable memory (page 6, line 22-24) coupled to the processor containing program 
instructions, that when executed by the processor, implement the method (method 400 of 
Figure 4) for responding to network intrusions" is recited and depicted in Flowchart 4. 

In one embodiment, as shown at least at 410 of Figure 4 and page 16 lines 1 1-18, an 
intrusion detection system (IDS) receives an alert from an IDS sensor located in a network of 
computing resources, wherein the IDS alert indicates an unauthorized intrusion upon a 
remotely located computing resource in the network of computing resources. At 420 of Figure 
4 and page 16 lines 24-29 identifies the IDS alert. At 430 of Figure 4 and page 17 lines 7-9, 
one embodiment determines an appropriate response to the IDS alert that is identified at a 
location separate from the remotely located computing resource so that the determining the 
appropriate response is unaffected by the unauthorized intrusion. At 440 of Figure 4 and page 
17 lines 7-9, one embodiment automatically implements the appropriate response to mitigate 
damage to the network of computing resources from the unauthorized intrusion by isolating the 
remotely located computing resource. 
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VI. Grounds of Rejection to Be Reviewed on Appeal 



1. Claims 1-33 stand rejected under 35 U.S.C. § 102(e) as being anticipated by 
Talpade et al. (U.S. Patent Publication No. 2004/0148520), hereafter referred to as Talpade. 
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VII. Argument 



L Whether Claims 1-33 are anticipated by Tabade under 35 U.S.C. § 102(e). 

A. Claim Features are not Met by the Cited References 

Appellant respectfully submits that the rejection of Claims 1-33 is improper as the 
rejection of Claims 1-33 does not satisfy the requirements of a prima facie case of 
anticipation under 35 U.S.C. § 102(e) as claim features are not met by the cited reference. 

Appellant respectfully submits that Claims 1 (and similarly Claims 12 and 23) recite, 
"A method for responding to network intrusions, comprising: 

a) receiving an intrusion detection system (IDS) alert from an IDS sensor located in a 
network of computing resources, wherein said IDS alert indicates an unauthorized intrusion 
upon a remotely located computing resource in said network of computing resources; 

b) identifying said IDS alert; 

c) determining an appropriate response to said IDS alert that is identified at a location 
separate from said remotely located computing resource so that said determining said 
appropriate response is unaffected by said unauthorized intrusion; and 

d) automatically implementing said appropriate response to mitigate damage to said 
network of computing resources from said unauthorized intrusion by isolating said remotely 
located computing resource." 

According to the Federal Circuit, "[a]nticpation requires the disclosure in a single 
prior art reference of each claim under consideration" (W.L. Gore & Assocs. v. Garlock Inc., 
721 F.2d 1540, 220 USPQ 303, 313 (Fed. Cir. 1983)). However, it is not sufficient that the 
reference recite all the claimed elements. As stated by the Federal Circuit, the prior art 
reference must disclose each element of the claimed invention " arranged as in the claims " 
(emphasis added; Lindermann Maschinenfabrik GmbH v. American Hoist & Derrick Co., 
730 F.2d 1452, 221 USPQ 481, 485 (Fed. Cir. 1984)). 

Appellant respectfully submits that Talpade does not teach or suggest, ". . .isolating 
said remotely located computing resource," as recited by Claim 1 . For example, network 
traffic is sent from a first computer to a second computer through an internet service provider 
(ISP). From line 14 of paragraph 0008 to the end of paragraph 0010, Talpade states, 
When the sensor detects an attack, it notifies an analysis engine located in the 
ISP. . .The analysis engine . . . advertises new routing information to the border and 
edge routers . . . The new routing information instructs the border and edge routers to 
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reroute all DDoS, and non-DDoS traffic... The redirected DDoS and non-DDoS traffic 
from the border and edge routers is automatically passed through these filters, 
removing the DDoS traffic . The non-DDoS traffic is forwarded back onto the ISP 
network and routed towards the customer network (emphasis added). 

Talpade teaches reconfiguring routers to reroute traffic away from the network being 
protected. Talpade runs inside of an ISP network and teaches specifically about protecting 
the ISP's customer's network from attacks which originate outside that customer's network. 
Talpade cannot protect the customer's network from attacks that originate from within the 
customer's network. For example, Talpade states in paragraph 0017, "In accordance with our 
invention, the sensors 234/236 monitor all traffic entering the customer networks 204/2o6 
from the ISP network " (emphasis added). 

In contract, Claim 1 recites, "isolating said remotely located computing resource." As 
a result, Claim 1 provides protecting assets within the customer's network regardless of the 
source of the attacks, and in particular protecting against attacks originating from within the 
customer's network. Further, implementations of an embodiment as recited by Claim 1 can 
reside anywhere in a network topology, whereas as already stated, Talpade is limited to 
residing within an ISP. Lastly, by "isolating said remotely located computing resource" the 
resource can continue to operate even after it has been isolated, for example by removing its 
network connections, which means that its state may be saved, and/or enables someone to 
examine an intrusion, such as malicious code, in action (for example by using the system 
console to log in) without fear of the "unauthorized intrusion" spreading. 

Appellant respectfully points out that by making note of things that "isolating said 
remotely located computing resource" provides for; Appellant is not reading limitations into 
Claim 1 . Claim 1 recites "isolating said remotely located computing resource," which 
provides for protecting assets within the customer's network regardless of the source of the 
attacks, provides for an implementation that can reside anywhere in a network topology, and 
provides for the isolated resource to continue to operate even after it has been isolated. 

Appellant further notes that by teaching that it is difficult to mitigate DDoS attacks at 
the target (refer to lines 17 and 18 of paragraph 0007), teaching that conventional systems 
require dedicated hardware (refer to lines 1-4 of paragraph 0007) in combination with 
teaching rerouting at the ISP; Talpade teaches away from "isolating said remotely located 
computing resource." 
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The Office Action cited paragraphs 0023-0027 and elements 234, 236, 204 in Figure 2 
of Talpade against Claim 1. Paragraphs 0023-0027 and elements 234, 236, 204 in Figure 2 of 
Talpade suffer from the same deficiency that line 14 of paragraph 0008 to the end of 
paragraph 0010 of Talpade suffer from. 

Response to Arguments 

In the response to arguments section, on pages 2 and 3, there is the statement that 
Talpade teaches "isolating the remotely located computing resource" in the abstract. On page 
3 the first paragraph of the Office Action quotes "[A]t the filter router, the attack traffic and 
non-attack traffic are automatically filtered to remove the attack traffic. The non-attack 
traffic is passed back onto the ISP network for routing towards the customer network." 

Then, on page 3 the second and third paragraphs of the Office Action then twist the 
Abstract statement into directions it in no way anticipates. Specifically, the Office Action 
recognizes that Claims 1 (and similarly 12 and 23) states "said IDS alert indicates an 
unauthorized intrusion upon a remotely located computing resource in said network of 
computing resources... automatically implementing said appropriate response to mitigate 
damage to said network of computing resources from said unauthorized intrusion by isolating 
said remotely located computing resource" (emphasis added). 

However, the Office Action incorrectly states at last sentence of paragraph 2 and 
paragraph 3 of page 3 that "therefore by doing so, the remotely located computing 
resource/customer network is isolated from receiving any traffic what so ever, until the filter 
router, filters and remove the attack traffic. It is only after the attack traffic/intrusion is 
filtered at the filter router that the non-attack traffic is passed back onto the ISP network for 
routing towards the customer network " (emphasis added). 

First, Appellant understands this to be an incorrect reading of Talpade. Specifically, 
Appellant understands Talpade to state, "[A]t the filter router, the attack traffic and non- 
attack traffic are automatically filtered to remove the attack traffic. The non-attack traffic is 
passed back onto the ISP network for routing towards the customer network." There is 
absolutely no mention, anticipation or teaching in this statement that indicates that "[I]t is 
only after the attack traffic/intrusion is filtered at the filter router that the non-attack traffic is 
passed back onto the ISP network for routing towards the customer network " as the present 
Office Action states (emphasis added). 
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In contrast, Appellant submits that it is more likely that Talpade filters the traffic in 
some type of order, wherein when a non-attack traffic is recognized it is passed back and 
when attack traffic is recognized it is filtered. The other option as suggested by the present 
Office Action would require a significant amount of storage to store all non-attack traffic 
while waiting for all attack traffic is filtered. Moreover, the Office Action does not state 
where Talpade teaches how the filter knows when all the attack traffic is filtered. 

For this reason, Appellant respectfully submits that the reading of Talpade provided in 
the response to Arguments section is incorrect. 

Moreover, Claims 1 (and similarly 12 and 23) states "said IDS alert indicates an 
unauthorized intrusion upon a remotely located computing resource in said network." In 
other words, the remotely located computing resource has an unauthorized intrusion upon it 
and is isolated. This is significantly different than the features relied upon in the present 
Office Action. Specifically, the present Office Action states that the mitigation of Talpade is 
to isolate the computing resource. 

However, Appellant respectfully submits that Talpade actually states, "when an attack 
is detected, the sensor notifies an analysis engine within the ISP network to mitigate the 
attack . The analysis engine configures a filter router to advertise new routing information to 
the border and edge routers of the ISP network. The new routing information instructs the 
border and edge routers to reroute attack traffic and non-attack traffic destined for the 
customer network to the filter router . At the filter router, the attack traffic and non-attack 
traffic are automatically filtered to remove the attack traffic . The non-attack traffic is passed 
back onto the ISP network for routing towards the customer network." 

As such, Appellant respectfully submits, as stated herein, that Talpade does not teach 
or anticipate the mitigation of damage is to isolate the remotely located computing resource. 
In contrast, Talpade anticipates the mitigation of the attack is performed by rerouting all 
traffic to a filter and filtering. 

For these reasons, Appellant respectfully points out that Talpade does not teach or 
suggest, among other things . .isolating said remotely located computing resource," as 
recited by Claim 1. Independent Claims 12 and 23 should be patentable for similar reasons 
that Claim 1 should be patentable. Further Claim 12 recites "at least one switch," and "a 
power controller." The Office Action failed to cite portions of any reference that teach "at 
least one switch" and "a power controller." 
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Claims 2-1 1 depend on Claim 1. Claims 13-22 depend on Claim 12. Claims 24-33 
depend on Claim 23. These dependent claims include all of the limitations of their respective 
independent claims. Further, these dependent claims include additional limitations which 
further make them patentable. 

In addition, Appellant points out that Claims 6 and 28 provide for powering off a 
resource, such as a host computer system, which prevents further damage to the resource, for 
example by continued deletion of data, and prevents further spread of an intrusion, for 
example by malicious software on that resource. 

In paragraph 9 of the office action, the examiner states that Talpade, in paragraph 
0027, discloses a method to power off the computing resource. Appellant respectfully 
submits that Talpade does not disclose a method to power off a computing resource, nor 
power off anything else, neither in paragraph 0027 nor anywhere else in the application. The 
first sentence of paragraph 0027 states ". . . assists in shutting-down DDoS attacks at the edge 
of the ISP network." 

This is very different from "shutting power" to a computing resource. Talpade "shuts 
down" the attack by rerouting packets. 

In contrast, Claims 6 and 28 provide for powering off the computing resource(s) 
which have been affected by an unauthorized intrusion, such as malicious code. It is clear 
that Talpade doesn't use the words "shut down" to mean powering off his "targeted" 
resources, because they are located outside of the ISP network at the Peer Autonomous 
Systems 210 and 220, and are not under control of the ISP; thus, the ISP would have no 
capability to power them off. Therefore, Talpade actually teaches away from shutting power 
to a computer resource. 

Therefore, Appellant points out that Talpade does not teach or suggest the features as 
recited by Claims 6 and 28. As such, Appellant respectfully submits Claims 6 and 28 
overcome the rejection under 35 U.S.C. § 102(e) and request that the rejection of Claims 6 
and 28 be overturned. 

With respect to Claims 7-10, and 29-32, Appellant points out that Claims 7-10, and 
29-32 provide for disabling the switch ports to which the intruded system is directly 
physically attached so that it can't send any traffic at all on any network. In paragraph 10 of 
the office action, the examiner states that Talpade discloses the same method. 
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Appellant respectfully submits that Talpade does not disclose a method to disable the 
switch ports to which the intruded system is directly physically attached. Rather, Talpade 
uses the mechanism of reconfiguring the routers through which the packets are flowing to 
redirect the path those packets will travel. Note that Talpade's system is still connected to all 
of its networks, including Ethernet, SAN, Token Ring, or any others. 

Therefore, Talpade cannot stop the attack at its source ; it merely prevents the attack 
packets from entering the ISP's customer's network , and leaves other networks potentially 
vulnerable. Thus, packets could be sent to other networks, many of which may not have the 
protection offered by the Talpade invention, and data on a SAN could be altered or destroyed 
by malicious software running on Talpade's "targeted" resource, even if the Talpade 
invention were properly and completely implemented in all networks in the entire world. 
Talpade merely prevents the malicious traffic from flowing through the ISP network to the 
customer network. 

In contrast, Claims 7-10 and 24-32 provide for preventing the intruded system from 
communicating to any other system by disabling the switch ports to which the intruded 
system is directly physically attached , which is distinct from and in some cases better than 
rerouting traffic at the routers. For example, the intruded resource can continue to operate 
without network connections, which means that its state may be saved, and/or enables 
someone to examine the malicious code in action (for example by using the system console to 
log in) without fear of spreading for example, an unauthorized intrusion such as an infection. 

Therefore, Appellant points out that Talpade does not teach or suggest the features as 
recited by Claims 7-10 and 24-32. As such, Appellant respectfully submits Claims 7-10 and 
24-32 overcome the rejection under 35 U.S.C. § 102(e) and request that the rejection of 
Claims 7-10 and 24-32 be overturned. 

Additionally, Appellant respectfully submits that Claims 2-11 depend on Claim 1. 
Claims 13-22 depend on Claim 12. Claims 24-33 depend on Claim 23 and that Claims 2-11, 
13-22 and 24-33 recite additional features thereof. Accordingly, Appellant respectfully 
submits that the rejection of Claims 2-11, 13-22 and 24-33 under 35 U.S.C. §102(e) is also 
improper and should be reversed 

In summary, Appellant respectfully submits that the Examiner's rejections of the 
Claims are improper as the rejection of Claims 1-33 does not satisfy the requirements of a 
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prima facie case of anticipation as claim features are not met by the cited reference. 
Accordingly, Appellant points out that the rejection of Claims 1-33 under 35 U.S.C. § 102(e) 
is improper and should be reversed. 
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Conclusion 



Appellant believes that pending Claims 1-33 are directed toward patentable subject 
matter. In particular, Appellant believes that pending Claims 1-33 are not anticipated by 
Talpade et al. 

As such, Appellant submits that Claims 1-33 are patentable and respectfully request 
that the rejection under 35 U.S.C. § 102(e) of Claims 1-33 be reversed. The Appellant wishes 
to encourage the Examiner or a member of the Board of Patent Appeals to telephone the 
Appellant's undersigned representative if it is felt that a telephone conference could expedite 
prosecution. 



Respectfully submitted, 
Wagner Blecher LLP 





John P. Wagner, Jr. 
Registration No.: 35,398 



Wagner Blecher LLP 
Westridge Business Park 
123 Westridge Drive 
Watsonville, CA 95076 



Phone: (408) 377-0500 
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VIII. Appendix - Clean Copy of Claims on App eal 

1. (previously presented) A method for responding to network intrusions, comprising: 

a) receiving an intrusion detection system (IDS) alert from an IDS sensor located in a 
network of computing resources, wherein said IDS alert indicates an unauthorized intrusion 
upon a remotely located computing resource in said network of computing resources; 

b) identifying said IDS alert; and 

c) determining an appropriate response to said IDS alert that is identified at a location 
separate from said remotely located computing resource so that said determining said 
appropriate response is unaffected by said unauthorized intrusion; and 

d) automatically implementing said appropriate response to mitigate damage to said 
network of computing resources from said unauthorized intrusion by isolating said remotely 
located computing resource. 

2. (Original) The method of Claim 1, wherein a) further comprises: 
al) detecting a suspicious intrusion into said computing resource; 
a2) determining said suspicious intrusion is unauthorized; 

a3) generating said IDS alert; and 

a4) sending said IDS alert to an IDS manager that is located remotely from said 
computing resource within said network of computing resources. 

3. (Original) The method of Claim 2, wherein a2) further comprises: 
determining said suspicious intrusion is unauthorized when said suspicious intrusion 

matches with at least one of a list of unauthorized intrusions. 

4. (Original) The method of Claim 2, wherein al) comprises: 

detecting said suspicious intrusion at a host-based intrusion detection system (HIDS) 
sensor located on said computing resource. 

5. (Original) The method of Claim 2, wherein al) comprises: 

detecting said suspicious intrusion at a network-based intrusion detection system 
(NIDS) sensor located within said network of computing resources. 

6. (Original) The method of Claim 1, wherein d) further comprises: 

dl) interfacing with a power controller that controls power to said computing resource 
to shut power to said computing resource. 

7. (Original) The method of Claim 1 , wherein d) further comprises: 
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dl) interfacing with at least one switch, an associated switch, in said network of 
computing resources to virtually reconfigure said associated switch in order to virtually isolate 
said computing resource from remaining computing resources in said network of computing 
resources. 

8. (Original) The method of Claim 7, wherein said associated switch comprises an 
Ethernet switch. 

9. (Original) The method of Claim 7, wherein said associated switch comprises a 
Storage Area Network (SAN) switch. 

10. (Original) The method of Claim 7, wherein said at least one switch comprises a 
SAN switch and an Ethernet switch. 



11. (Original) The method of Claim 1, wherein said network of computing resources 
comprises a provisional data center. 

12. (Original) A method for responding to network intrusions, comprising: 

a) receiving an intrusion detection system (IDS) alert from an IDS sensor in a network 
of computing resources at a location separate from an infected computing resource, wherein 
said IDS alert indicates an unauthorized intrusion upon said infected computing resource in 
said network of computing resources, wherein implementation of a response to said IDS alert is 
unaffected by said unauthorized intrusion; 

b) responding to said IDS alert by automatically interfacing with at least one switch in 
said network of computing resources to virtually reconfigure said at least one switch, an 
associated switch, in order to virtually isolate said computing resource from remaining 
computing resources in said network of computing resources; and 

c) responding to said IDS alert by automatically interfacing with a power controller that 
controls power to said computing resource to shut power to said computing resource. 



13. (Original) The method of Claim 12, wherein a) further comprises: 
al) detecting a suspicious intrusion into said computing resource; 
a2) determining said suspicious intrusion is unauthorized; 
a3) generating said IDS alert; and 

a4) sending said IDS alert to an IDS manager that is located remotely from said 
computing resource within said network of computing resources. 
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14. (Original) The method of Claim 13, wherein a2) further comprises: 
determining said suspicious intrusion is unauthorized when said suspicious intrusion 

matches with at least one of a list of unauthorized intrusions. 

15. (Original) The method of Claim 13, wherein al) comprises: 

detecting said suspicious intrusion at a host-based intrusion detection system (HIDS) 
sensor located on said computing resource. 

16. (Original) The method of Claim 13, wherein al) comprises: 

detecting said suspicious intrusion at a network-based intrusion detection system 
(NIDS) sensor located within said network of computing resources. 

17. (Original) The method of Claim 12, wherein said network of computing resources 
comprises a provisional data center. 

18. (Original) The method of Claim 12, wherein said switch couples said computing 
resource to a virtual local area network. 

19. (Original) The method of Claim 12, wherein said switch comprises an Ethernet 

switch. 

20. (Original) The method of Claim 12, wherein said associated switch comprises a 
Storage Area Network (SAN) switch. 

2 1 . (Original) The method of Claim 12, wherein said at least one switch comprises a 
SAN switch and an Ethernet switch. 

22. (Original) The method of Claim 12, wherein further comprising: 
automatically interfacing with said associated switch in said network of computing 

resources; and 

automatically interfacing with said power controller. 

23. (previously presented) A computer system comprising: 

a bus for communicating information associated with a method for responding to 
network intrusions; 

a processor coupled to said bus for processing said information associated with said 
method for responding to network intrusions; and 
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a computer readable memory coupled to said processor containing program instructions, 
that when executed by said processor, implement said method for responding to network 
intrusions, comprising: 

a) receiving an intrusion detection system (IDS) alert from an IDS sensor located in a 
network of computing resources, wherein said IDS alert indicates an unauthorized intrusion 
upon a remotely located computing resource in said network of computing resources; 

b) identifying said IDS alert; and 

c) determining an appropriate response to said IDS alert that is identified at a location 
separate from said remotely located computing resource so that said determining said 
appropriate response is unaffected by said unauthorized intrusion; and 

d) automatically implementing said appropriate response to mitigate damage to said 
network of computing resources from said unauthorized intrusion by isolating said remotely 
located computing resource. 

24. (Original) The computer system of Claim 23, wherein a) in said method further 
comprises: 

al) detecting a suspicious intrusion into said computing resource; 

a2) determining said suspicious intrusion is unauthorized; 

a3) generating said IDS alert; and 

a4) sending said IDS alert to an IDS manager that is located remotely from said 
computing resource within said network of computing resources. 

25. (Original) The computer system of Claim 24, wherein a2) in said method further 
comprises: 

determining said suspicious intrusion is unauthorized when said suspicious intrusion 
matches with at least one of a list of unauthorized intrusions. 

26. (Original) The computer system of Claim 24, wherein al) in said method 
comprises: 

detecting said suspicious intrusion at a host-based intrusion detection system (HIDS) 
sensor located on said computing resource. 

27. (Original) The computer system of Claim 24, wherein al) in said method 
comprises: 

detecting said suspicious intrusion at a network-based intrusion detection system 
(NIDS) sensor located within said network of computing resources. 
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28. (Original) The computer system of Claim 23, wherein d) in said method further 
comprises: 

dl) interfacing with a power controller that controls power to said computing resource 
to shut power to said computing resource. 

29. (Original) The computer system of Claim 23, wherein d) in said method further 
comprises: 

dl) interfacing with at least one switch, an associated switch, in said network of 
computing resources to virtually reconfigure said associated switch in order to virtually isolate 
said computing resource from remaining computing resources in said network of computing 
resources. 

30. (Original) The computer system of Claim 29, wherein said associated switch 
comprises an Ethernet switch. 

3 1 . (Original) The computer system of Claim 29, wherein said associated switch 
comprises a Storage Area Network (SAN) switch. 

32. (Original) The computer system of Claim 29, wherein said at least one switch 
comprises a SAN switch and an Ethernet switch. 

33. (Original) The computer system of Claim 23, wherein said network of computing 
resources comprises a provisional data center. 
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IX. Evidence Appendix 

No evidence is herein appended. 
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X. Related Proceedings Appendix 
No related proceedings. 
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